Analysis
Max time kernel: 149s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 10/05/2022, 22:35
Static task: static1
Behavioral task: behavioral1
Sample: f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
Resource: win7-20220414-en
General
Target: f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
Size: 4.6MB
MD5: f0fd5d38ffa54d8dfd6456c0b7a8664b
SHA1: 36387a6cd5c900fb78e6fc67a88e84a472d05b61
SHA256: 4e3056448e294407b47e08e4dd3364b14acc1fe05d602cbe3347e10800f925ae
SHA512: 80b57e0e8feb4241631adfd73678ea8c4094397c4053855bfd3cce2d4762be8c67da46fe3e41b73766596723d370692cb31a75ba2bf475b40f2c4f2c1a9eb7db
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: https.myvnc.com:9111
communication_password: c4ca4238a0b923820dcc509a6f75849b
tor_process: tor
Signatures
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid   Process
  1460  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe  (5 events)

Suspicious use of SetThreadContext (1 IoC)
  description                         pid  Process                               procid_target
  PID 376 set thread context of 1460  376  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe  33

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1836  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  376   f0fd5d38ffa54d8dfd6456c0b7a8664b.exe  (2 events)
  1352  powershell.exe
  1780  powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     376   f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
  Token: SeDebugPrivilege     1780  powershell.exe
  Token: SeDebugPrivilege     1352  powershell.exe
  Token: SeDebugPrivilege     1460  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
  Token: SeShutdownPrivilege  1460  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1460  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe  (2 events)

Suspicious use of WriteProcessMemory (24 IoCs)
  description                      pid  Process                               procid_target
  PID 376 wrote to memory of 1352  376  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe  27  (4 events)
  PID 376 wrote to memory of 1780  376  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe  29  (4 events)
  PID 376 wrote to memory of 1836  376  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe  31  (4 events)
  PID 376 wrote to memory of 1460  376  f0fd5d38ffa54d8dfd6456c0b7a8664b.exe  33  (12 events)
Processes
- PID 376: C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - PID 1352: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - PID 1780: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rGucnaAeGqFkx.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - PID 1836: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rGucnaAeGqFkx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD624.tmp"
    - Creates scheduled task(s)
  - PID 1460: C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
  Filesize: 1KB
  MD5: db859e33939e1d3f71f354b4de2d9ce1
  SHA1: cae69c1ce0a74afc32c1abd38918e7e38cf93a8d
  SHA256: c3f9ff42c9bcedd8fa46a824f3bc979bcf1e81bff4f74d26245eac32a852cdbd
  SHA512: 188d7356d77b0f7d07ebf5d1a1f97cb81be5adcc8bfe2f9e4341bc705e3b31d3e95bfb22a751b6651f77309cae10736ad4e4c0fd0db6690047396d897fc83408
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 1be8301f3fe6d9c8632b565855a60f22
  SHA1: 02785613b6cc3b3e2794ad004ceae76ffa2a6eb6
  SHA256: 357c3b078aa8ddefa354f97ce67113652a592303e222726858cdb575097f9bdb
  SHA512: 516c6d8a314cf40bb64b8b9c2ba88345a8415a39cff02e48f19bdd58e83f53710c66958aec1281173d15d5f08c53a9903832bf06584d710b3fc2448e1d612670